I am running a multisite with about 50 client sites

Hello. I am running a multisite with about 50 client sites on 4.1.1. It is running on a dedicated cloud server. Every few days I find a strange PHP file uploaded to the root of my WordPress install. The file is called EX-Same.php. It will be owned by www-data and have 0644.

The site did not go down; however, to be safe, I moved the install to another cloud server with a different IP and a fresh WP install. Replaced the plugins and themes. Checked the database. Installed Wordfence. Double-checked dir permissions. Changed all passwords, etc. etc.

After all that it happened again.

Have you guys seen this before? Would you have any suggestions on a security hole I'm missing? Though the sites haven't gone down and no one has accessed the control panel, this is making me lose sleep.

Please let me know if you have any suggestions.

  • Timothy Bowers

    Hey dg2,

    Hope you're well today!

    Well... As you know, files don't create themselves so something must be doing it. The first thing I'd often think if files start to appear is that the site has been compromised somehow.

    Can you ask your host to review the access logs and let you know how the file was created and from where?

    I guess you checked the admin of the site to ensure no other admin accounts have been created? Any custom roles, and custom role plugins?

    Check other folders for anything fishy.

    What code is in the file?

    Ensure your permissions for folders and files are set recursively throughout the install, and that they are set correctly for your environment, often 644 for files, 755 for folders. The wp-config.php file should be something like 440 to prevent other users on the server reading it.

    You should probably look at the plugin and theme versions you have, then make sure they're up to date. Maybe even search to see if there are any reported vulnerabilities.

    Take a look at Sucuri too:

    https://sucuri.net/

    And their WordPress blog:

    http://blog.sucuri.net/category/wordpress-security

    They often announce security issues with plugins, themes, and the core if needed.

    Make sure you keep plenty of backups, and often!

    https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/

    Take care.
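
The file and permission checks suggested in the reply above, written out as a script. This is an added example, not code from the thread; the function names are hypothetical, and the expected-file list is the set of PHP files WordPress core places in the install root plus `wp-config.php`. The 644/755/440 baseline is the one given in the reply.

```shell
#!/bin/sh
# Added example: audit a WordPress install root for dropped PHP files and
# for modes that differ from the 644 / 755 / 440 baseline.

# PHP files expected in the install root (core files plus wp-config.php).
WP_ROOT_CORE="index.php wp-activate.php wp-blog-header.php \
wp-comments-post.php wp-config.php wp-config-sample.php wp-cron.php \
wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php \
wp-signup.php wp-trackback.php xmlrpc.php"

# Print the name of every PHP file in the root that is not on the list.
# -iname also catches .PHP; find (unlike a shell glob) also sees dotfiles.
unexpected_root_php() {
    root=${1%/}
    find "$root" -maxdepth 1 -type f -iname '*.php' | sort |
    while IFS= read -r f; do
        name=${f##*/}
        case " $WP_ROOT_CORE " in
            *" $name "*) ;;                   # expected file
            *) printf '%s\n' "$name" ;;       # not shipped by core
        esac
    done
}

# Print every path whose mode differs from the baseline:
# directories 755, files 644, the root wp-config.php 440.
perm_deviations() {
    root=${1%/}
    find "$root" -type d ! -perm 755 | sed 's/^/dir  /'
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 |
        sed 's/^/file /'
    find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 440 |
        sed 's/^/conf /'
}

# Usage: sh audit.sh /path/to/wordpress   (the path is whatever you pass in)
if [ "$#" -ge 1 ]; then
    echo "Unexpected PHP files in root:"; unexpected_root_php "$1"
    echo "Permission deviations:";        perm_deviations "$1"
fi
```

Run from cron with the output mailed or diffed against the previous run, the first check reports a file such as EX-Same.php on the next pass, and its modification time can then be matched against the access log.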

  • dg2

    Timothy,

    Thanks for the reply. I had actually gone through the whole ultimate guide already but I did get a few additional ideas from your reply. I also checked out Sucuri and will keep them in mind as a possible added measure. ...

    I have made a few other changes on the server and am continuing to closely monitor the system. Once I feel more certain I will post some of the steps I've taken in case anyone can benefit. Thanks again.
